Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2010

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Daniel R. Levinson
Inspector General

January 2013
A-18-12-30100

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

BACKGROUND

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added information security requirements for Medicare administrative contractors (MAC), fiscal intermediaries, and carriers to the Social Security Act (the Act). These contractors process and pay Medicare fee-for-service claims. Each Medicare contractor must have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures.

The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations in fiscal year (FY) 2010 to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the fiscal intermediaries, carriers, and MACs. 
CMS also contracted with iFed, LLC (iFed), to perform technical assessments at the two CMS enterprise data centers that process Medicare claims using an information security assessment methodology.

The Inspector General, Department of Health and Human Services, must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for FY 2010.

OBJECTIVES

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and CMS enterprise data center technical assessments and (2) report the results of those evaluations and assessments.

SUMMARY OF RESULTS

PwC’s evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 303 gaps at 21 Medicare contractors. iFed’s assessment for one of the two enterprise data centers was adequate in scope and was sufficient, but for the other center, we could not determine whether the scope and sufficiency of the review were adequate. iFed reported a total of 51 gaps at the 2 enterprise data centers.

Assessment of Scope and Sufficiency

PwC’s evaluations of the contractor information security programs adequately encompassed in scope and sufficiency the eight FISMA requirements referenced in the Act.

iFed’s evaluation of the information security controls at one of the two enterprise data centers tested was adequate in scope and was sufficient. However, for the other enterprise data center, we could not determine whether the scope and sufficiency of the review were adequate because of issues with the working papers, such as lack of evidence that all testing procedures had been completed and that all identified weaknesses were adequately supported.

Results of Evaluations

The results of the contractor information security program evaluations and enterprise data center technical assessments are presented in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors’ implementation of them.

Results of Contractor Information Security Program Evaluations

In the 21 PwC evaluation reports for FY 2010, which covered all MACs, fiscal intermediaries, and carriers, PwC identified a total of 303 gaps, which it consolidated into 90 findings. The contractors are responsible for developing a corrective action plan for each gap or finding. The number of gaps per contractor ranged from 6 to 22 and averaged 14. The most gaps occurred in the following FISMA control areas: policies and procedures to reduce risk (74 gaps at 21 contractors), testing of information security controls (62 gaps at 21 contractors), security program and system security plans (49 gaps at 21 contractors), incident response (39 gaps at 19 contractors), and continuity of operations planning (35 gaps at 18 contractors). There was an increase in the number of gaps in FY 2010, some of which was due to the expansion of testing that PwC performed at each contractor. CMS is responsible for tracking each finding until it is remediated.

Results of Enterprise Data Center Technical Assessments

The 2 Medicare enterprise data center technical assessment reports prepared by iFed identified a total of 51 gaps (10 gaps at 1 data center, 41 at the other data center). Most of the gaps occurred in the following security control categories: access control (26 gaps at 2 data centers), system and communications protection (10 gaps at 2 data centers), and identification and authentication (9 gaps at 1 data center).

Of the 51 gaps iFed identified at the 2 enterprise data centers, 27 gaps were resolved and closed during or after iFed’s onsite visits. Hence, a total of 24 gaps at data centers required corrective action in FY 2010. The contractors are responsible for developing a corrective action plan for each gap, which CMS tracks until the gap is remediated.

RECOMMENDATION

We recommend that CMS ensure that its enterprise data center technical assessments are adequately supported.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it would take the appropriate actions to address the identified issues. We have included CMS’s comments in their entirety as Appendix D.

TABLE OF CONTENTS

                                                                                   Page

INTRODUCTION ........................................................................ 1

     BACKGROUND ..................................................................... 1
          The Medicare Program ...................................................... 1
          Medicare Prescription Drug, Improvement, and Modernization
           Act of 2003 .............................................................. 1
          Centers for Medicare & Medicaid Services Evaluation Process
           for Fiscal Year 2010 ..................................................... 2

     OBJECTIVES, SCOPE, AND METHODOLOGY ............................................. 3
          Objectives ................................................................ 3
          Scope ..................................................................... 3
          Methodology ............................................................... 3

RESULTS OF REVIEW ................................................................... 4

     ASSESSMENT OF SCOPE AND SUFFICIENCY ............................................ 4

     RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY
     PROGRAM EVALUATIONS ............................................................ 4
          Policies and Procedures To Reduce Risk .................................... 6
          Testing of Information Security Controls .................................. 6
          Security Program and System Security Plans ................................ 7
          Incident Detection, Reporting, and Response ............................... 8
          Continuity of Operations Planning ......................................... 8

     RESULTS OF ENTERPRISE DATA CENTER TECHNICAL
     ASSESSMENTS .................................................................... 9
          Access Control ........................................................... 10
          System and Communications Protection ..................................... 11
          Identification and Authentication ........................................ 11

     CONCLUSION .................................................................... 12

     RECOMMENDATION ................................................................ 12

     CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS ............................. 12

APPENDIXES

     A: LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA AND MEDICARE CONTRACTOR

     B: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS

     C: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SECURITY CONTROL AREA AND ENTERPRISE DATA CENTER

     D: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

INTRODUCTION

BACKGROUND

The Medicare Program

The Centers for Medicare & Medicaid Services (CMS) administers the Medicare program. Medicare is a health insurance program for people age 65 or older, people under age 65 with certain disabilities, and people of all ages with end-stage renal disease. In fiscal year (FY) 2010, Medicare paid more than $447 billion on behalf of more than 47 million Medicare beneficiaries. CMS contracts with Medicare Administrative Contractors (MAC), fiscal intermediaries, and carriers to administer Medicare benefits paid on a fee-for-service basis. 
CMS uses enterprise data centers to process all Medicare fee-for-service claims.

In FY 2010, 11 distinct entities served as fiscal intermediaries, carriers, and Part A/B MACs. Two external entities operated enterprise data centers to process all Medicare fee-for-service claims. Thus, 13 distinct entities processed and paid Medicare fee-for-service claims.

Medicare Prescription Drug, Improvement, and Modernization Act of 2003

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) added information security requirements for MACs, fiscal intermediaries, and carriers to section 1874A of the Social Security Act (the Act).[1] (See 42 U.S.C. § 1395kk-1.) Pursuant to section 1874A(e)(2)(A) of the Act, each MAC, fiscal intermediary, and carrier must have its information security program evaluated annually by an independent entity. This section requires that these evaluations address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). (See 44 U.S.C. § 3544(b).) These requirements, referred to as “FISMA control areas” in this report, are:

     1. periodic risk assessments;

     2. policies and procedures to reduce risk;

     3. security program and system security plans;

     4. security awareness training;

     5. testing of information security controls;

     6. remedial actions;

     7. incident detection, reporting, and response; and

     8. continuity of operations planning.

[1] The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries and carriers with MACs, which are competitively selected. Until all MACs are in place, the requirements of section 1874A also apply to fiscal intermediaries and carriers.

Section 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security controls be tested for an appropriate subset of Medicare contractors’ information systems. However, this section does not specify the criteria for evaluating these security controls.

Additionally, section 1874A(e)(2)(C)(ii) of the Act requires the Inspector General of the Department of Health and Human Services to submit to Congress annual reports on the results of such evaluations, including assessments of their scope and sufficiency. This report fulfills that responsibility for FY 2010.

Centers for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2010

CMS developed agreed-upon procedures (AUP) for the program evaluation based on the requirements of section 1874A(e)(1) of the Act, FISMA, information security policy and guidance from the Office of Management and Budget and the National Institute of Standards and Technology (NIST), and the Government Accountability Office’s (GAO) Federal Information Systems Controls Audit Manual (FISCAM). In FY 2010, 11 distinct entities served as fiscal intermediaries, carriers, and MACs. The independent auditors, PricewaterhouseCoopers (PwC), under contract with CMS, used the AUPs to evaluate the information security programs at the 11 entities. Many of the entities had multiple contracts with CMS to fulfill their responsibilities as Medicare fiscal intermediaries, carriers, A/B MACs, and Durable Medical Equipment MACs. Testing was performed for each of the contracts. As a result, PwC performed evaluations and issued separate reports for 21 fiscal intermediaries, carriers, and MACs.

To comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of information security controls for an appropriate subset of contractors’ information systems, CMS expanded the scope of its AUP evaluations in FY 2010 to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the fiscal intermediaries, carriers, and MACs. Medicare data centers are used for “front-end” preprocessing of claims received from providers and “back-end” issuing of payments to providers after claims have been adjudicated. PwC performed additional testing to eliminate the need to contract with another entity to perform the assessments that had previously been performed at the fiscal intermediaries, carriers, and MAC data centers. In addition, CMS contracted with iFed, LLC (iFed), to plan, develop, and implement a comprehensive program to perform testing of information security controls at the two CMS enterprise data centers, which are used to process and adjudicate all Medicare claims. iFed performed the assessments and issued separate reports for each of the two enterprise data centers.

The results of the contractor information security program evaluations and enterprise data center technical assessments are presented in terms of gaps, which are defined as the differences between FISMA or CMS core security requirements and the contractors’ implementation of them. In some instances, PwC combined multiple gaps into one finding. PwC assigned impact levels to each of the findings, and iFed assigned risk levels to each of the gaps. 
The contractors are responsible for developing a corrective action plan for each gap or finding, which is tracked by CMS.

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments.

Scope

We evaluated the FY 2010 results of the independent evaluations and technical assessments of Medicare contractors’ information security programs. Our review did not include an evaluation of internal controls. We performed our reviews of PwC and iFed working papers at CMS headquarters in Baltimore, Maryland, and at Office of Inspector General regional offices.

Methodology

To accomplish our objectives, we performed the following steps:

     •  To assess the scope of the evaluations of contractor information security programs, we determined whether the AUPs included the eight FISMA control requirements enumerated in section 1874A(e)(1) of the Act.

     •  To assess the sufficiency of the evaluations of contractor information security programs, we reviewed PwC working papers supporting the evaluation reports to determine whether PwC sufficiently addressed all areas required by the AUPs. We also determined whether all security-related weaknesses were included in the PwC reports by comparing supporting documentation with the reports and whether all findings in the PwC reports were adequately supported by comparing the reports with the PwC working papers.

     •  To assess the scope of the enterprise data center technical assessments, we reviewed the contract and statement of work between CMS and iFed and verified that iFed performed the work that CMS had specified.

     •  To assess the sufficiency of the enterprise data center technical assessments, we reviewed working papers to verify that iFed completed all test procedures, reported all medium- and high-risk gaps, and adequately supported all reported results with sufficient and appropriate evidence.

     •  To report on the results of the evaluations and technical assessments, we aggregated the results contained in the individual contractor evaluation reports and data center technical assessment reports. For the PwC evaluations, we used the number of gaps listed in the individual contractor evaluation reports to aggregate the results. For the iFed technical assessments, we used the gaps listed in the individual technical assessment reports to aggregate the results.

We conducted this performance audit in accordance with generally accepted government auditing standards, except that we did not obtain comments from PwC or iFed. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

RESULTS OF REVIEW

PwC’s evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 303 gaps, which resulted in 168 findings at 21 Medicare contractors. For the 11 entities that encompass the 21 contracts, there were a total of 166 gaps resulting in 90 findings. iFed reported a total of 51 gaps at the 2 enterprise data centers. One of the two enterprise data center technical assessments performed by iFed was adequate in scope and was sufficient. However, for the other enterprise data center, we could not determine whether the scope and sufficiency of the review were adequate because of problems with the working papers, such as a lack of evidence that all testing procedures had been completed or that identified weaknesses were adequately supported.

ASSESSMENT OF SCOPE AND SUFFICIENCY

PwC’s evaluations of the contractor information security programs adequately encompassed in scope and sufficiency the eight FISMA requirements referenced in section 1874A(e)(1) of the Act.

The scope of the work and sufficiency of documentation for all reported gaps were adequate for one of the two enterprise data center technical assessments. CMS’s contract with iFed provided for the planning, development, and implementation of a comprehensive program to perform testing of information security controls at enterprise data centers. However, the test plan documentation supplied by iFed for one enterprise data center did not contain sufficient evidence that all of the testing procedures had been performed. Additionally, we were unable to trace all gaps presented in iFed’s report to supporting documentation in the working papers. 
CMS did not\nensure that all iFed working papers were complete for all tests and that all gaps were adequately\nsupported in the working papers.\n\nRESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM\nEVALUATIONS\n\nAs shown in Table 1, the 21 evaluation reports identified a total of 303 gaps. The number of\ngaps per contractor ranged from 6 to 22 and averaged 14. See Appendix A for a list of gaps per\ncontrol area by contractor.\n\n\n\n                                                 4\n\x0c                         Table 1: Range of Medicare Contractor Gaps\n                                                Number of Contractors With\n                 Number of        Total      0    1-5      6\xe2\x80\x9310    11-15   16+\n         FY      Contractors      Gaps      Gaps Gap(s) Gaps       Gaps    Gaps\n        2010         21            303       0     0         2      10      9\n\nThe total number of gaps reported increased from 94 in FY 2009 to 303 in FY 2010. Some of\nthis increase was due to PwC\xe2\x80\x99s expanded testing in FY 2010. PwC expanded its testing to\ninclude the Medicare claims processing systems hosted at the Medicare data centers. New\ntesting included review of network management controls and a network attack and penetration\ntest at the Medicare data centers.\n\nTable 2 summarizes the gaps found in each FISMA control area in FY 2010.\n\nTable 2: Gaps by Federal Information Security Management Act Control Area in FY 2010\n                                    Impact Levels\n                                      of FISMA                             No. of Contractors\n               FISMA                Control Area         No. 
of Gaps       With One or More\n            Control Area            Subcategories         Identified             Gap(s)\n     Policies and procedures to\n                                          High                 74                   21\n     reduce risk\n     Testing of information\n                                          High                 62                   21\n     security controls\n     Security program and\n                                     High/Medium               49                   21\n     system security plans\n     Incident detection,\n                                          High                 39                   19\n     reporting, and response\n     Continuity of operations\n                                     High/Medium               35                   18\n     planning\n     Security awareness\n                                        Medium                 28                   15\n     training\n     Periodic risk assessments       High/Medium                9                    9\n     Remedial actions                    High                   7                    3\n       Total                                                  303\n\nThe Medicare contractor information security program evaluations covered several subcategories\nwithin each FISMA control area. The \xe2\x80\x9cimpact level\xe2\x80\x9d shown in Table 2 refers to the possible\nlevel of adverse impact that could result from successful exploitation of gaps in any of the\nsubcategories depending on the organization\xe2\x80\x99s mission and criticality and the sensitivity of the\nsystems and data involved. The actual ratings assigned to the subcategories were all high or\nmedium impact and were PwC\xe2\x80\x99s assessments. 
Individual findings were assigned an overall risk\nlevel on a subjective basis by PwC after considering the impact and likelihood of occurrence.\nHowever, as stated in NIST Special Publication (SP) 800-115, Technical Guide to Information\nSecurity Testing and Assessment, section 4.3, it is difficult to identify the risk level of individual\nvulnerabilities because they rarely exist in isolation.\n\n                                                  5\n\x0cThe following sections discuss the five FISMA control areas containing the most gaps. See\nAppendix B for descriptions of each subcategory tested for the five control areas.\n\nPolicies and Procedures To Reduce Risk\n\nAccording to NIST SP 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations:\n\n         \xe2\x80\xa6the management of risk is a key element in the organization\xe2\x80\x99s information\n         security program and provides an effective framework for selecting the\n         appropriate security controls for an information system\xe2\x80\x94the security controls\n         necessary to protect individuals and the operations and assets of the organization.\n         The risk-based approach to security control selection and specification considers\n         effectiveness, efficiency, and constraints taking into account applicable federal\n         laws, Executive orders, directives, policies, regulations, standards, or guidelines.\n\nAll 21 Medicare contractors had from 1 to 4 gaps each. In total, PwC identified 74 gaps in this\narea. 
Following are examples of gaps in policies and procedures to reduce risk:\n\n    \xe2\x80\xa2    Security policies and procedures did not address or enforce platform security\n         configuration 2 or patch management 3 standards.\n\n    \xe2\x80\xa2    Patch management procedures did not contain a timetable or time line for putting patches\n         or service packs in place based on the severity of the risk associated with the\n         vulnerability to be patched.\n\n    \xe2\x80\xa2    Procedures for applying mainframe updates did not include steps to identify security\n         patches for the mainframe or to apply them within the time line required by CMS.\n\nIneffective policies and procedures to reduce risk could jeopardize an organization\xe2\x80\x99s mission,\ninformation, and information technology assets. Without adequate configuration standards and\nthe latest security patches, systems may be susceptible to exploitation that could lead to\nunauthorized disclosure of data, data modification, or the unavailability of data.\n\nTesting of Information Security Controls\n\nAccording to NIST SP 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations, Control CA-2, the effectiveness of information security policies,\nprocedures, practices, and controls should be tested and evaluated at least annually.\nNIST SP 800-115, section 2.3, notes that security testing enables organizations to measure levels\nof compliance in areas such as patch management, password policy, and configuration\n\n2\n A security configuration is a set of security controls and settings established for an information system that meets\noperational requirements and helps systems operate correctly and securely.\n3\n Patch management is the process of identifying, reporting, and effectively remediating information system flaws in\nan operational system.\n\n                                                          6\n\x0cmanagement. 
According to GAO\xe2\x80\x99s FISCAM, section 3.3, changes to an application should be\ntested and approved before being put into production.\n\nAll 21 Medicare contractors had from 1 to 5 gaps each related to testing of information security\ncontrols. In total, PwC identified 62 gaps in this area.\n\nFollowing are examples of gaps in testing of information security controls:\n\n   \xe2\x80\xa2   The contractor\xe2\x80\x99s system software change-control procedures did not reflect the process used\n       to test the different platforms.\n\n   \xe2\x80\xa2   The contractor\xe2\x80\x99s change-control procedures did not include the variation in the process used\n       for firewall changes based on the determined risk level of the change to the firewall.\n\n   \xe2\x80\xa2   Security weaknesses were identified as part of the internal network penetration testing.\n\nWithout a comprehensive program for periodic testing and monitoring of information security\ncontrols, management has no assurance that appropriate safeguards are in place to mitigate\nidentified risks.\n\nSecurity Program and System Security Plans\n\nNIST SP 800-100, Information Security Handbook: A Guide for Managers, section 2.2.5, states\nthat an agency should ensure its information security policy is sufficiently current to\naccommodate the information security environment and the agency mission and operational\nrequirements. NIST SP 800-53, Control PS-3, requires organizations to screen employees before\ngranting access to information and information systems. The Executive Summary of NIST SP\n800-18, Guide for Developing Security Plans for Federal Information Systems, states that\n\xe2\x80\x9csystem security plan[s] should provide an overview of a system\xe2\x80\x99s security requirements and\ndescribe the controls in place or planned for meeting those requirements.\xe2\x80\x9d\n\nAll 21 Medicare contractors had from 1 to 4 gaps each. 
In total, PwC identified 49 gaps in this\narea.\n\nFollowing are examples of gaps in security program and system security plans:\n\n   \xe2\x80\xa2   The contractor\xe2\x80\x99s internal and external assessments, including audits, controls testing,\n       security reviews, and penetration and vulnerability assessments, were not completed.\n\n   \xe2\x80\xa2   The contractor\xe2\x80\x99s procedures for background investigations did not require completion of\n       background checks before hiring employees and granting them access to systems.\n\n   \xe2\x80\xa2   The contractor\xe2\x80\x99s system security plan did not identify a complete list of platforms that\n       supports Medicare operations.\n\n\n\n                                                 7\n\x0cIf information security program requirements are not implemented and enforced, management\nhas no assurance that established system security controls will be effective in protecting valuable\nassets, such as information, hardware, software, systems, and related technology assets that\nsupport the organization\xe2\x80\x99s critical missions.\n\nIncident Detection, Reporting, and Response\n\nThe Executive Summary of NIST SP 800-61, Computer Security Incident Handling Guide, states\nthat:\n\n       \xe2\x80\xa6computer security incident response has become an important component of\n       information technology programs. Security-related threats have become not only\n       more numerous and diverse but also more damaging and disruptive. New types of\n       security-related incidents emerge frequently. Preventative activities based on the\n       results of risk assessments can lower the number of incidents, but not all incidents\n       can be prevented. 
An incident response capability is therefore necessary for\n       rapidly detecting incidents, minimizing loss and destruction, mitigating any\n       weaknesses that were exploited, and restoring computing services.\n\nTwo of the 21 Medicare contractors had no identified gaps in incident response, while the\nremaining 19 had 1 to 3 gaps each. In total, PwC identified 39 gaps in this area. Following\nare examples of gaps in incident response:\n\n   \xe2\x80\xa2   The process for maintaining and reviewing system logs was not consistent with CMS\n       requirements.\n\n   \xe2\x80\xa2   System logs were not retained for the amount of time required by CMS, and follow-up of\n       suspicious activities was not performed.\n\n   \xe2\x80\xa2   Reportable incidents were not reported within the time frame required by CMS.\n\nKeeping the number of incidents reasonably low is very important to protect the business\nprocesses of the organization. If security controls are insufficient, high volumes of incidents\nmay occur, which could overwhelm the incident response team. This could lead to slow and\nincomplete responses and negative business effects (e.g., extensive damage to computer systems,\nperiods without computer service, and periods when data are unavailable).\n\nContinuity of Operations Planning\n\nAccording to NIST SP 800-34, Contingency Planning Guide for Federal Information Systems,\nsection 2.2, contingency planning represents a broad scope of activities designed to sustain and\nrecover critical information technology services following an emergency. Contingency planning\nfor information systems is part of an overall organizational program for achieving continuity of\noperations for business operations. 
Physical security controls and media disposal were also\nincluded in the scope of PwC\xe2\x80\x99s testing in this area.\n\n                                                 8\n\x0cThree of the 21 Medicare contractors had no identified gaps in continuity of operations\nplanning, while the remaining 18 had 1 to 4 gaps each. In total, PwC identified 35 gaps in this\narea. Following are examples of gaps in continuity of operations planning:\n\n    \xe2\x80\xa2    The contractor did not arrange for an alternate data processing facility.\n\n    \xe2\x80\xa2    The contingency plan was not reviewed, tested, and kept up to date.\n\n    \xe2\x80\xa2    Policies and procedures to address all aspects of data sanitization 4 did not exist.\n\nIf contingency planning activities are inadequate, even relatively minor interruptions of service\ncan result in lost or incorrectly processed data, which can cause financial losses, expensive\nrecovery efforts, and inaccurate or incomplete financial or management information.\n\nRESULTS OF ENTERPRISE DATA CENTER TECHNICAL ASSESSMENTS\n\nThe technical assessment reports for the two enterprise data centers identified a total of 51 gaps\n(10 gaps at one data center and 41 gaps at the other). iFed\xe2\x80\x99s testing included a review of\npolicies and procedures for the following five NIST control areas:\n\n    1. Access control\n\n    2. Identification and authentication\n\n    3. Physical and environmental protection\n\n    4. Personnel security\n\n    5. System and communications protection\n\nAt one enterprise data center, iFed\xe2\x80\x99s testing included a limited penetration test and vulnerability\nscans of the data center\xe2\x80\x99s distributed systems and a technical review of its mainframe. At the\nother enterprise data center, iFed performed vulnerability scanning and a limited-scope\nassessment of the mainframe. 
The additional testing identified gaps in the security control\narea of configuration management.\n\niFed assigned each of the gaps to one of the security control areas. In a manner similar to that of\nPwC, iFed categorized the risks associated with the individual gaps as high, medium, or low\nbased on the potential impact and likelihood of exploitation. Of the 51 gaps iFed identified\nacross the two enterprise data centers, 8 gaps were high risk, 25 gaps were medium risk, and 18\ngaps were low risk. Twenty-seven gaps were resolved and closed during iFed\xe2\x80\x99s onsite visits or\nbefore iFed issued its reports to the data centers, including 7 high-risk gaps, 10 medium-risk\ngaps, and 10 low-risk gaps. Hence, a total of 24 gaps at the data centers required corrective action\nin FY 2010.\n\n4\n Data sanitization is the process of removing data from media so that there is reasonable assurance that the data may\nnot be easily retrieved and reconstructed.\n\n                                                         9\n\x0cTable 3 presents the aggregate results reported for the two data centers. Appendix C shows the\nnumber of reported gaps at each data center by security control area.\n\n                     Table 3: Enterprise Data Center Reported Gaps by\n           National Institute of Standards and Technology Security Control Area\n\n                                     Total No.   No. of Data   No. of      No. of        No. of\n    Security Control Area            of Gaps     Centers       High-Risk   Medium-Risk   Low-Risk\n                                     Identified  With Gaps     Gaps        Gaps          Gaps\n    Access control                       26           2            2           16             8\n    System and communications            10           2            3            3             4\n      protection\n    Identification and                    9           1            3            2             4\n      authentication\n    Configuration management              5           2            0            3             2\n    Personnel security                    1           1            0            1             0\n    Total                                51                        8           25            18\n\nNote: iFed did not report any gaps in the NIST security control area of physical and\nenvironmental protection.\n\nThe following sections discuss the three security control areas with the highest number of gaps.\n\nAccess Control\n\nAccording to GAO\xe2\x80\x99s FISCAM, section 3.2, access controls limit or detect inappropriate access to\ncomputer resources (data, equipment, and facilities), thereby protecting them from unauthorized\nmodification, loss, and disclosure. Such controls include both logical and physical controls.\n\niFed identified access control gaps at both enterprise data centers. Following are examples of\ngaps in this area:\n\n    \xe2\x80\xa2   An excessive number of users had the ability to make changes to sensitive system files.\n\n    \xe2\x80\xa2   Users could read sensitive system files that might not have been required by their job\n        function.\n\n    \xe2\x80\xa2   A remote server had shared directories with sensitive data that unauthorized users could\n        read.\n\nInadequate access controls diminish the reliability of computerized data and increase the risk of\ndestruction or inappropriate disclosure of data. 
Gaps in access control create vulnerabilities in\nthe confidentiality, integrity, and availability of Medicare data and systems. Associated gaps in\n\n\n                                                 10\n\x0cthe configuration of the system software that controls access to systems can make computers\nvulnerable to unauthorized access.\n\nSystem and Communications Protection\n\nAccording to NIST SP 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations, Control SC-8, the information system should protect the integrity of\ntransmitted information. Control SC-4 states that \xe2\x80\x9cthe information system prevents unauthorized\nand unintended information transfer via shared system resources.\xe2\x80\x9d\n\niFed identified system and communications protection control gaps at both data centers.\nFollowing are examples of gaps in this area:\n\n    \xe2\x80\xa2    The Secure Sockets Layer (SSL; i.e., the protocol for encrypting information transmitted\n         over the Internet) certificate was signed using a weak hashing algorithm. 5\n\n    \xe2\x80\xa2    Residual CMS data on direct access storage devices could have been reused or recovered\n         by unauthorized persons (e.g., programmers) after the data had been erased at the\n         operating system level.\n\nWithout adequate system controls, unauthorized users may gain access to sensitive data through\nunprotected transmissions or through storage devices whose contents have not been sanitized.\n\nIdentification and Authentication\n\nNIST SP 800-53 requires organizations to develop, disseminate, and periodically review or\nupdate identification and authentication policies and procedures. Authentication of an\nindividual\xe2\x80\x99s identity is a fundamental component of physical and logical access control\nprocesses. 
The information system should uniquely identify and authenticate computer devices\nbefore establishing a connection to an organization\xe2\x80\x99s network.\n\niFed reported identification and authentication control gaps at one of the data centers. Following\nare examples of gaps in this area:\n\n    \xe2\x80\xa2    No process existed for recording, reviewing, or assessing device connection reports.\n\n    \xe2\x80\xa2    A Web server was vulnerable to a cross-site scripting attack 6 because of a software flaw.\n\n\n\n\n5\n  A hashing algorithm is used with a digital signature to provide assurance of origin authentication and data\nintegrity. That assurance depends on it being infeasible to find two different inputs with the same hash value. A\ncertificate signed with a hash function that has known collision weaknesses (MD5, for example) allows an attacker\nwho can construct a second certificate with the same hash value to reuse the valid signature on a certificate of the\nattacker\xe2\x80\x99s own choosing.\n6\n  A cross-site scripting attack occurs when a flaw in a Web application allows attacker-supplied content, typically\nscript, to be included in a Web page without proper output encoding, so that it runs in the browsers of other users\nof the Web site with the privileges of their sessions.\n\n\n                                                          11\n\x0cThese gaps could permit sensitive information on a server to be read by unauthorized\nindividuals, changed in an unauthorized manner, or accessed from an unauthorized device. These\nare common threats to organizations.\n\nCONCLUSION\n\nThe scope of the work and the documentation supporting all reported gaps were sufficient for\nthe 21 Medicare contractors reviewed by PwC and for one of the two data center technical\nassessments performed by iFed. However, at the other data center, the test plan documentation\ndid not contain sufficient evidence that iFed performed all of the testing procedures, nor were we\nable to trace all gaps presented in iFed\xe2\x80\x99s reports to supporting documentation. In addition, we\nwere not able to determine whether iFed included all medium- and high-risk gaps in the report\nbecause of inadequate working paper references in the test scripts. CMS did not ensure that all\niFed working papers were complete for all tests and that all gaps were adequately supported in\nthe working papers. 
Gaps that are not identified during a data center technical assessment could\nresult in unidentified vulnerabilities that could in turn result in unauthorized access to sensitive\nMedicare data.\n\nRECOMMENDATION\n\nWe recommend that CMS ensure that its enterprise data center technical assessments are\nadequately supported.\n\nCENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS\n\nIn written comments to our draft report, CMS concurred with our recommendation. CMS also\nstated that it would take the appropriate actions to address the identified issues. We have\nincluded CMS\xe2\x80\x99s comments in their entirety as Appendix D.\n\n\n\n\n                                                 12\n\x0cAPPENDIXES\n\x0c                                APPENDIX A: LIST OF GAPS BY\n                   FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002\n                         CONTROL AREA AND MEDICARE CONTRACTOR\n\n                                             Control Areas (With Impact Levels)\n                                        Security\n                            Policies    Program                                          Incident\n                              and          and                  Testing of              Detection,   Continuity\n              Periodic     Procedures    System     Security   Information              Reporting,       of\n                Risk       To Reduce    Security   Awareness     Security    Remedial      and       Operations\nMedicare     Assessments      Risk        Plans     Training     Controls     Actions   Response      Planning    Total\nContractor     (High)        (High)      (High)    (Medium)       (High)      (High)      (High)       (High)     Gaps\n    1             1            4             2         0            4            0           3            2       16\n    2             1            4             2         0            4            0           3            2       16\n    3             0            3             
2         0            3            0           3            2       13\n    4             0            3             2         0            3            0           3            2       13\n    5             0            4             3         1            3            0           3            0       14\n    6             0            4             1         0            3            0           3            4       15\n    7             0            4             1         2            3            0           1            1       12\n    8             0            4             1         2            3            0           1            1       12\n    9             0            4             1         2            3            0           1            1       12\n   10             1            4             4         2            4            0           2            2       19\n   11             1            4             4         0            4            0           2            1       16\n   12             0            4             2         2            2            0           2            1       13\n   13             0            4             2         2            2            0           2            1       13\n   14             0            4             2         2            2            0           2            1       13\n   15             1            3             4         1            3            2           1            2       17\n   16             1            3             4         1            3            2           1            2       17\n   17             1            4             3         2            5            3           2            2       22\n   18             0            1             2         2            1            0           0            0        6\n   19             0            1             1         3            1            0           0            0        6\n   20             1            4       
      3         2            3            0           2            4       19\n   21             1            4             3         2            3            0           2            4       19\n  Total           9            74           49         28           62           7          39           35       303\n\n         Note: Impact levels for Federal Information Security Management Act of 2002 (FISMA)\n         control areas were derived by PricewaterhouseCoopers by taking the highest value from among\n         the subcategories.\n\x0c                                                                                     Page 1 of 6\n\n     APPENDIX B: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS\n     FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002\n         CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS\n\nThe \xe2\x80\x9cimpact level\xe2\x80\x9d shown in Tables 1 through 5 on the following pages refers to the level of\nadverse impact that could result from successful exploitation of a vulnerability in any of the\nFISMA control areas. Impact can be described as high, medium, or low in light of the\norganization\xe2\x80\x99s mission and criticality and the sensitivity of the systems and data involved.\nPricewaterhouseCoopers assigned a rating of high or medium impact to each of the subcategories\nin the agreed-upon procedures developed by the Centers for Medicare & Medicaid Services\n(CMS). Individual gaps were assigned an overall risk level on a subjective basis by\nPricewaterhouseCoopers after considering the impact of the gaps and likelihood of their\noccurrence.\n\nSubcategories that were added to testing in FY 2010 are designated by an asterisk.\n\x0c                                                                                       Page 2 of 6\n\nPOLICIES AND PROCEDURES TO REDUCE RISK\n\nThe Medicare contractor information security program evaluations assessed seven subcategories\nrelated to policies and procedures to reduce risk. 
The evaluation reports identified a total of 74\ngaps in this FISMA control area.\n\n                   Table 1: Policies and Procedures To Reduce Risk Gaps\n\n                                                              Total No. of Gaps   Subcategory\n      Subcategory                                               in This Area      Impact Level\n  1   Documentation exists that outlines reducing the risk             0              High\n      exposure identified in periodic risk assessments.\n  2   Systems security controls have been tested and                   2              High\n      evaluated. The system/network boundaries have been\n      subjected to periodic reviews/audits.\n  3   All gaps in compliance per CMS\xe2\x80\x99s minimum security               0              High\n      requirements are identified in the results of\n      management\xe2\x80\x99s compliance checklist.\n  4   Security policies and procedures include controls to            19              High\n      address platform security configurations and patch\n      management.\n  5*  The latest patches have been installed on the                   21              High\n      contractor\xe2\x80\x99s systems.\n  6*  Security settings are included within internal                  17              High\n      checklists and comply with Defense Information\n      Systems Agency standards.\n  7*  Malicious software protection has been installed on             15              High\n      workstations/laptops, is up to date, and is operating\n      effectively, and administrators are alerted to any\n      malicious software identified on workstations/laptops.\n      Total                                                           74\n\n* Subcategory added to testing in FY 2010.\n\x0c 
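The patch management subcategories in Table 1 (rows 4 and 5), together with the finding earlier in this report that some contractors' patch procedures set no timetable based on the severity of the vulnerability being patched, describe a control that can be checked mechanically once a timetable exists. The Python script below is an added example written for this page; it is not code from the OIG report, PwC, or CMS. The severity windows (PATCH_WINDOW_DAYS) are assumed for illustration and are not CMS's actual requirements, and the inventory records are constructed sample data, not data from the evaluations.

```python
"""Severity-based patch deadline check.

Added example written for this page; not code from the OIG report, PwC, or CMS.
The remediation windows are ASSUMED for illustration (the report does not state
CMS's timetable), and the inventory below is CONSTRUCTED sample data.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Assumed policy: maximum days allowed between vendor release and installation.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample inventory; installed_on is blank for patches not yet applied.
SAMPLE_INVENTORY = """\
host,patch_id,severity,released_on,installed_on
mf01,ZOS-2010-0142,high,2010-03-02,2010-03-20
mf01,ZOS-2010-0199,critical,2010-06-10,
web02,APP-2010-0031,critical,2010-05-01,2010-05-06
web02,APP-2010-0077,medium,2010-01-15,2010-06-30
db03,DBMS-2010-0010,low,2010-02-01,
db03,DBMS-2010-0120,medium,2010-08-15,
"""


def _as_date(value):
    """Accept either an ISO-8601 string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def patch_deadline(severity, released_on, policy=PATCH_WINDOW_DAYS):
    """Date by which a patch of the given severity must be installed."""
    key = severity.strip().lower()
    if key not in policy:
        raise ValueError(f"severity {severity!r} has no window in the policy")
    return _as_date(released_on) + timedelta(days=policy[key])


def classify(record, as_of, policy=PATCH_WINDOW_DAYS):
    """Status of one inventory record as of a given date.

    compliant  installed on or before the deadline
    late       installed, but after the deadline
    open       not installed, deadline not yet reached
    overdue    not installed and the deadline has passed
    """
    deadline = patch_deadline(record["severity"], record["released_on"], policy)
    if record["installed_on"].strip():
        installed = _as_date(record["installed_on"])
        return "compliant" if installed <= deadline else "late"
    return "open" if _as_date(as_of) <= deadline else "overdue"


def assess_inventory(csv_text, as_of, policy=PATCH_WINDOW_DAYS):
    """Return [(host, patch_id, status, deadline_iso)] for every inventory row."""
    results = []
    for row in csv.DictReader(StringIO(csv_text)):
        deadline = patch_deadline(row["severity"], row["released_on"], policy)
        status = classify(row, as_of, policy)
        results.append((row["host"], row["patch_id"], status, deadline.isoformat()))
    return results


def findings(csv_text, as_of, policy=PATCH_WINDOW_DAYS):
    """Only the rows an assessor would write up as gaps: overdue or installed late."""
    return [r for r in assess_inventory(csv_text, as_of, policy) if r[2] in ("overdue", "late")]


if __name__ == "__main__":
    for host, patch_id, status, deadline in assess_inventory(SAMPLE_INVENTORY, "2010-09-30"):
        print(f"{host:6} {patch_id:15} {status:10} deadline {deadline}")
```

Run as-is, the script lists every record with its status for an assumed assessment date of 30 September 2010; findings() returns only the rows that would be reported. Computing the deadline from the release date plus the severity window, rather than asking only whether a patch is installed today, is what makes a patch applied months late visible as a gap even when the system is currently up to date.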
                                                                                   Page 3 of 6\n\nTESTING OF INFORMATION SECURITY CONTROLS\n\nThe Medicare contractor information security program evaluations covered seven subcategories\nrelated to the testing of information security controls. The evaluation reports identified a total of\n62 gaps in this FISMA control area.\n\n                    Table 2: Testing of Information Security Controls Gaps\n\n                                                              Total No. of Gaps   Subcategory\n      Subcategory                                               in This Area      Impact Level\n  1   Management reports exist for the review and testing of           0              High\n      information security policies and procedures, including\n      network risk assessments, accreditations and\n      certifications, internal and external audits, security\n      reviews, and penetration and vulnerability assessments.\n  2   Annual reviews and audits are conducted to ensure                5              High\n      compliance with FISMA guidance from the Office of\n      Management and Budget for reviews of security controls,\n      including logical and physical security controls,\n      platform configuration standards, and patch management\n      controls.\n  3   Remedial action is being taken for issues noted in audits.       1              High\n  4   Change control management procedures exist.                      5              High\n  5   Change control procedures are tested by management to           13              High\n      verify they are in use.\n  6*  Systems are configured according to documented security         19              High\n      configuration checklists.\n  7*  Weaknesses are identified by PwC during a network attack        19              High\n      and penetration test.\n      Total                                                           62\n\n* Subcategory added to testing in FY 2010.\n\x0c                                                                                       Page 4 of 6\n\nSECURITY PROGRAM AND SYSTEM SECURITY PLANS\n\nThe Medicare contractor information security program evaluations assessed 11 subcategories\nrelated to security program and system security plans. The evaluation reports identified a total of\n49 gaps in this FISMA control area.\n\n                Table 3: Security Program and System Security Plan Gaps\n\n                                                              Total No. of Gaps   Subcategory\n      Subcategory                                               in This Area      Impact Level\n  1   A security plan is documented and approved.                      0              High\n  2   The security plan is kept current.                               7             Medium\n  3   A security management structure has been established.            0              High\n  4   Information security responsibilities are clearly assigned.      2              High\n  5   Owners and users are aware of security policies.                 0              High\n  6   Hiring, transfer, termination, and performance policies          0              High\n      address security.\n  7   Employee background checks are performed.                        7             Medium\n  8   Security employees have adequate security training and           0             Medium\n      background.\n  9   Management has documented that it periodically assesses         18              High\n      the appropriateness of security policies and compliance\n      with them, including testing of security policies and\n      procedures.\n 10   Management ensures that corrective actions are effectively       1             Medium\n      implemented.\n 11*  Hired, transferred, and terminated employees have their         14             Medium\n      access properly added, changed, or removed.\n      Total                                                           49\n\n* Subcategory added to testing in FY 2010.\n\x0c                                                                                         Page 5 of 6\n\nINCIDENT DETECTION, REPORTING, AND RESPONSE\n\nThe Medicare contractor information security program evaluations assessed five subcategories\nrelated to incident detection, reporting, and response. The evaluation reports identified a total of\n39 gaps in this FISMA control area.\n\n                               Table 4: Incident Response Gaps\n\n                                                              Total No. of Gaps   Subcategory\n      Subcategory                                               in This Area      Impact Level\n  1   Management has a process to monitor systems and networks         0              High\n      for unusual activity or intrusion attempts.\n  2   Management has procedures to take and has taken action           6              High\n      in response to unusual activity, intrusion attempts, and\n      actual intrusions.\n  3   Management processes and procedures include reporting of         0              High\n      intrusion attempts and intrusions in accordance with\n      FISMA guidance.\n  4*  Policies, procedures, and security configuration                14              High\n      checklists related to intrusion detection systems within\n      the network are in place, controls comply with documented\n      security configuration checklists, and there is a process\n      for monitoring intrusion detection system alerts.\n  5*  Log management procedures have been developed and               19              High\n      implemented for specific platforms, and intrusion\n      detection systems have been properly placed and\n      configured.\n      Total                                                           39\n\n* Subcategory added to testing in FY 2010.\n\x0c                                                                                        Page 6 of 6\n\nCONTINUITY OF OPERATIONS PLANNING\n\nThe Medicare contractor information security program evaluations assessed 14 subcategories\nrelated to continuity of operations planning. The evaluation reports identified a total of 35 gaps\nin this FISMA control area.\n\n                       Table 5: Continuity of Operations Planning Gaps\n\n                                                              Total No. of Gaps   Subcategory\n      Subcategory                                               in This Area      Impact Level\n  1   Critical data and operations are formally identified and         0             Medium\n      prioritized.\n  2   Resources supporting critical operations are identified in       0             Medium\n      contingency plans.\n  3   Emergency processing priorities have been established.           0              High\n  4   Data and program backup procedures have been implemented.        3             Medium\n  5   Adequate environmental controls have been implemented.           0              High\n  6   Staff has been trained to respond to emergencies.                3             Medium\n  7   Hardware maintenance, problem management, and change             2              High\n      management procedures exist to help prevent unexpected\n      interruptions.\n  8   Policies and procedures for disposal of data and equipment      10              High\n      exist and include applicable Federal security and privacy\n      requirements.\n  9   An up-to-date contingency plan is documented.                    2              High\n 10   Arrangements have been made for alternate data processing        2             Medium\n      and telecommunications facilities.\n 11   The contingency plan is periodically tested.                     2              High\n 12   Contingency plan test results are analyzed and contingency       0              High\n      plans adjusted accordingly.\n 13   Physical security controls exist to protect information          0              High\n      technology resources.\n 14*  Media disposal procedures meet requirements defined by CMS      11             Medium\n      and the National Institute of Standards and Technology\n      (NIST), and evidence of disposal of media exists.\n      Total                                                           35\n\n* Subcategory added to testing in FY 2010.\n\x0cAPPENDIX C: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND\nTECHNOLOGY SECURITY CONTROL AREA AND ENTERPRISE DATA CENTER\n\n                                                   Data Center\n         NIST Security Control Area              1        2      Total Gaps\n         Access control                          6       20          26\n         System and communications               2        8          10\n           protection\n         Identification and                      0        9           9\n           authentication\n         Configuration management                2        3           5\n         Personnel security                      0        1           1\n         Physical and environmental              0        0           0\n           protection\n         Total                                  10       41          51\n\x0c                                                                                                                           Page 1 of 2\n\n\nAPPENDIX D: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS\n\n\n
DEPARTMENT OF HEALTH & HUMAN SERVICES                    Centers for Medicare & Medicaid Services
                                                         Administrator
                                                         Washington, DC 20201

DATE:     NOV 14 2012

TO:       Daniel R. Levinson

FROM:     (signature)

SUBJECT:  Office of Inspector General (OIG) Draft Report: "Review of Medicare Contractor
          Information Security Program Evaluations for Fiscal Year 2010" (A-18-12-30100)

The Centers for Medicare & Medicaid Services (CMS) would like to thank OIG for the
opportunity to review and comment on the OIG Draft Report referenced above. The objective of
this report is to (1) assess the scope and sufficiency of Medicare contractor information security
program evaluations and CMS Enterprise Data Center (EDC) technical assessments, and (2)
report the results of these evaluations and assessments.

Section 1874A(e)(2) of the Social Security Act requires that each Medicare contractor have its
information security program evaluated annually by an independent entity. The results are
then submitted to OIG, which is required to submit an annual report to Congress on the results of
these evaluations, including assessments of the scope and sufficiency of these evaluations. The
OIG found that the scope of work and documentation were sufficient for the Medicare
contractors and one of the two EDCs. However, there were issues concerning test plan
documentation and working paper completeness in performing technical assessments at one of
the EDCs. CMS is aware of this finding. The corrective action plans have been completed to
address them. The OIG recommendation and CMS's response to the recommendation are
discussed below.

OIG Recommendation

The OIG recommends that CMS technical assessment management ensure that its enterprise data
center technical assessments are adequately supported.

CMS Response

The CMS concurs with OIG's recommendation for this finding.

The CMS has implemented various process improvements designed to ensure that EDC technical
assessments are adequately supported. The following improvements are currently in place:

• Test plans have been updated and standardized across all technical assessment platforms,
  including EDC assessments; and
• EDC contractors responsible for performing technical assessments have been providing
  training covering the technical assessment process and reporting requirements; and
• Specific reporting and deliverable requirements were updated in the technical assessment
  EDC contractor Statement of Work.

Additionally, the contractor performing the technical assessments at the time of this report has
been replaced. The new contractor has been provided specific instructions in line with the items
documented above to assure that technical assessments are appropriately performed.

The CMS would like to thank OIG for the opportunity to review and comment on this draft
report.